Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
NVIDIA NeMoClaw contains a vulnerability in the sandbox environment initialization component, where a remote attacker could cause improper access control by sending prompt-injected content that causes the agent to read and exfiltrate host environment variables not properly restricted during sandbox creation. A successful exploit of this vulnerability might lead to information disclosure.
AnalysisAI
Remote unauthenticated attackers can exfiltrate sensitive host environment variables from NVIDIA NeMoClaw by injecting malicious prompts that bypass sandbox access controls. The vulnerability affects the sandbox initialization component and enables information disclosure without requiring any authentication or user interaction (CVSS 8.6, AV:N/AC:L/PR:N/UI:N). Cross-scope impact (S:C) indicates the attack breaks out of the intended sandbox boundary to access host-level secrets. EPSS and KEV status not available; this appears to be a recently disclosed AI/LLM agent security issue.
Technical ContextAI
NeMoClaw is an NVIDIA AI agent framework that uses sandbox environments to isolate agent execution. The vulnerability (CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere) occurs during sandbox initialization when environment variables from the host system are not properly restricted or filtered. Prompt injection attacks exploit the AI agent's instruction-following behavior to execute unintended commands - in this case, reading and transmitting environment variables that should remain isolated within the sandbox boundary. The affected CPE (cpe:2.3:a:nvidia:nemoclaw:*:*:*:*:*:*:*:*) indicates all currently released versions are vulnerable. This represents an emerging class of AI security vulnerabilities where natural language inputs bypass traditional access controls by manipulating the semantic layer rather than exploiting memory corruption or logic flaws.
RemediationAI
Consult the NVIDIA security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5837 for official patch availability and upgrade instructions. Until a vendor patch is applied, implement these compensating controls: (1) Remove all sensitive credentials and secrets from environment variables accessible to the NeMoClaw sandbox - use secure secret management services (HashiCorp Vault, AWS Secrets Manager) with runtime injection instead. Trade-off: requires application refactoring. (2) Implement strict input validation and sanitization on all prompts before passing to the agent, filtering for common injection patterns (system commands, file access attempts, variable expansion syntax). Trade-off: may break legitimate use cases requiring dynamic prompting. (3) Deploy NeMoClaw in network-isolated environments with no internet access and restrict to processing only pre-validated, trusted content. Trade-off: limits agent functionality and integration capabilities. (4) Enable comprehensive logging of all agent inputs and outputs to detect exfiltration attempts via outbound connections or encoded responses. Trade-off: performance overhead and storage costs. None of these mitigations fully prevent exploitation; patching is the only complete solution.
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c
The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not
NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft
Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct
NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft
NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G
The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de
The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a
nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26079